My computer is infected with win32/cryptor.
The problem is:
1. Exactly every 5-6 minutes, AVG springs up a message box saying: Threat detected, win32/cryptor; Process: C:\windows\system32\svchost.exe.
However, the infected file's location is: C:\windows\temp\abcd.tmp\svchost.exe. I have to move this particular file to the AVG vault.
2. On a complete scan, AVG, Malwarebytes, Spybot or even the online scanner at Eset did not detect it!
3. On running Process Explorer, the service corresponding to "DCOM Server Process Launcher, Plug and Play" shows activity just before the message box from AVG comes up. Meaning, if I suspend this process using Process Explorer, the virus shows no activity and the message boxes stop. However, I can't completely kill the process because it is an important process to run the computer.
My theory is: The virus has embedded itself in C:\windows\system32\svchost.exe and is creating infected copies of svchost.exe @ C:\windows\temp and trying to run the infected file... that's when AVG stops it in its tracks and the computer runs normally for the next 5 to 6 minutes. I have attached a screenshot of the message AVG displays...
I wonder if someone could help me out here... Cannot remove this thing, have been trying for three days!
EDIT to add:
Hi,
This is the service that shows high activity by the process explorer moments before the message box comes up...
I'm beginning to wonder if the computer is really infected...?
Edited by garmanma, 28 January 2010 - 10:26 AM.
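As an added illustration (not part of the original post or of AVG's output), a small Python check for the pattern described above: a process named svchost.exe whose image lives somewhere other than the Windows system directories. The process records and paths are constructed, and SYSTEM_ROOT is an assumed value that on a real host would come from %SystemRoot%.

```python
"""Flag svchost.exe instances that do not run from the Windows system directories.

Added example, not code from the original post. Process records are constructed
inline; on a live machine they would come from Process Explorer, tasklist or wmic.
"""
import ntpath  # Windows path semantics regardless of the host this runs on

# Assumed Windows directory; read it from %SystemRoot% on a real host.
SYSTEM_ROOT = r"C:\Windows"

# The only directories the genuine svchost.exe is expected to run from.
LEGIT_DIRS = {
    ntpath.normcase(ntpath.join(SYSTEM_ROOT, "System32")),
    ntpath.normcase(ntpath.join(SYSTEM_ROOT, "SysWOW64")),
}


def is_suspicious_svchost(image_path: str) -> bool:
    """True when the image is named svchost.exe but is outside System32/SysWOW64.

    Paths are normalised case-insensitively with Windows separators, so
    C:/WINDOWS/system32/SVCHOST.EXE counts as the legitimate binary, while a
    copy under C:\windows\temp\... (as in the post) is flagged.
    """
    norm = ntpath.normcase(ntpath.normpath(image_path))
    directory, filename = ntpath.split(norm)
    if filename != "svchost.exe":
        return False  # not an svchost lookalike at all
    return directory not in LEGIT_DIRS


def find_suspicious(processes):
    """Return (pid, path) for every record in `processes` that fails the check."""
    return [(p["pid"], p["path"]) for p in processes
            if is_suspicious_svchost(p["path"])]


# Constructed sample records, modelled on the two paths quoted in the post.
SAMPLE_PROCESSES = [
    {"pid": 948,  "path": r"C:\Windows\System32\svchost.exe"},          # legitimate
    {"pid": 1120, "path": r"c:\windows\temp\abcd.tmp\svchost.exe"},     # the temp copy
    {"pid": 1304, "path": r"C:\Windows\SysWOW64\svchost.exe"},          # legitimate (64-bit host)
    {"pid": 1560, "path": r"C:\Windows\System32\drivers\svchost.exe"},  # wrong subdirectory
]

if __name__ == "__main__":
    for pid, path in find_suspicious(SAMPLE_PROCESSES):
        print(f"suspicious svchost.exe: pid={pid} path={path}")
```

A hit only tells you the image path is wrong; the file in System32 still needs its digital signature and hash checked separately, since the post's theory is that the original has been tampered with.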